AMENDMENTS TO THE CLAIMS 



This listing of claims will replace all prior versions and listings of claims in the 
application. 

1 . (currently amended) A method for providing access services, comprising th e st e ps 

ef: 

receiving user session state information for a first use r at an application program interface 
for an access system, said user session state information is from an application without a web 
agent front end ; 

r e c e iving resourc e r e qu e st information for a first r e sourc e ; 

receivin g, at said application program interface, a request to authorize said first user to 
access said first resource, said request to authorize is from an said application without a web 
agent front end; and 

att e mpting providing authorization services of said access system to said application 
using said application program interface in an attempt to authorize said first user to access said 
first resource without requiring said first user to re-submit authentication credentials. 

2. (original) A method according to claim 1, wherein: 

said user session state information is a session token from a cookie stored on a client for 
said first user. 

3. (original) A method according to claim 1, wherein: 

said user session state information is from a cookie stored on a client for said first user; 
said user session state information is encrypted; and 

said step of receiving user session state information includes decrypting said user session 
state information. 

4. (original) A method according to claim 3, further including the steps of: 
receiving a request from said application for unencrypted data from said user session 
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state information; and 

providing said unencrypted data from said user session state information to said 
application, said application does not have access to a key to decrypt said user session state 
information. 

5. (original) A method according to claim 4, wherein: 
said unencrypted data includes an identity for said first user. 

6. (original) A method according to claim 1, wherein: 

said user session state information is a session token from a cookie stored on a client for 
said first user, said session state information was created by an access system; and 
said access system performs said step of attempting to authorize. 

7. (currently amended) A method according to claim 1 , wherein: 

said user session state information is a session token from a cookie stored on a client for 
said first user, said user session state information was created by an access system and provided 
to said application by said access system; 

said application caused said session token to be stored in said cookie; and 

said access system p e rforms said st e p of att e mpting attempts to authorize said first user . 

8. (original) A method according to claim 1, wherein said user session state 
information includes: 

an identity for said first user; 

an authentication level for said first user; and 

a session start time for said first user. 

9. (original) A method according to claim 1, wherein said resource request 
information includes: 

an identification of a resource type; 
an identification of a resource; and 
an identification of an operation. 
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10. (original) A method according to claim 1, wherein said resource request 
information includes: 

an identification of a resource type; 
an identification of a resource; 
an identification of an operation; and 
query string information. 

11. (original) A method according to claim 1, wherein said resource request 
information includes: 

an identification of a resource type; 
an identification of a resource; 
an identification of an operation; and 
post data information. 

12. (original) A method according to claim 1, wherein: 
said web agent front end is a Web Gate. 

13. (currently amended) A method according to claim 1 5 wherein: 

said step of att e mpting attempt to authorize is based on said user session state information 
and said resource request information. 

14. (original) A method according to claim 1, further comprising the steps of: 
creating a resource request object, said resource request object represents a request to 

access said first resource; and 

creating a user session object, said user session object represents said first user after said 
first user has been authenticated. 

15. (original) A method according to claim 1, further comprising the steps of: 
determining whether said first resource is protected; 

determining an authentication scheme for said first resource; and 
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determining whether said authentication scheme is satisfied based on said user session 
state information. 



16. (original) A method according to claim 15, further comprising the steps of: 
making available to said application an indication of whether said first resource is 

protected; and 

making available to said application an indication of said authentication scheme. 

17. (original) A method according to claim 1, further comprising the step of: 
determining one or more authentication actions for said first resource. 

1 8. (original) A method according to claim 17, further comprising the step of: 
making available to said application an indication of said one or more authentication 

actions for said first resource. 



1 9. (original) A method according to claim 1 7, further comprising the step of: 
performing at least one of said authentication actions for said first resource. 

20. (original) A method according to claim 1, further comprising the step of: 
determining one or more authorization actions for said first resource. 

21. (original) A method according to claim 20, further comprising the step of: 
making available to said application an indication of said one or more authorization 

actions for said first resource. 



22. (original) A method according to claim 20, further comprising the step of: 
performing at least one of said authorization actions for said first resource. 



23. (original) A method according to claim 1, further comprising the step of: 
determining one or more audit rules for said first resource. 
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24. (original) A method according to claim 23, further comprising the step of: 
making available to said application an indication of said one or more audit rules for said 

first resource. 

25. (original) A method according to claim 23, further comprising the step of: 
performing at least one of said audit rules for said first resource. 

26. (original) A method according to claim 1, further comprising the step of: 
allowing said first user to access said first resource if said first user is authorized to access 

said first resource. 

27. (currently amended) A method for providing access services by an application 
without a web agent front end, comprising th e st e ps of : 

receivin g, at an application, an electronic request from a first user to access a first 
resource, said step of receiving includes receiving information from a cookie; 

providing said information from said cookie to an a pplication program interface for an 
access system acc e ss syst e m int e rfac e; and 

with said application, accessing authorization services of said access system using said 
application program interface, said accessing includes requesting said access system interface to 
authorize said first user to access said first resource based on information from said electronic 
request from said first user and based on said information from said cookie. 

28. (original) A method according to claim 27, wherein: 
said information from said cookie is encrypted. 

29. (original) A method according to claim 28, further comprising the steps of: 
requesting unencrypted data from said information from said cookie, said request being 

made to said access system interface; and 

receiving said unencrypted data from said access system interface. 

30. (original) A method according to claim 29, wherein: 
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said application does not have access to a key for decrypting said information from said 

cookie. 

3 1 . (original) A method according to claim 27, further comprising the steps of: 
requesting data from said information from said cookie, said request being made to said 

access system interface; 

receiving said data from said access system interface; and 
using said data for an access system service. 

32. (original) A method according to claim 27, wherein: 

said information from said cookie was originally provided by a first web agent.. 

33. (original) A method according to claim 27, wherein: 

said information from said cookie was originally provided by said access system 
interface. 

34. (original) A method according to claim 27, further comprising the steps of: 
determining whether said first resource is protected; 

determining an authentication scheme for said first resource; 

determining whether said authentication scheme is satisfied based on said information 
from said cookie; and 

determining whether said first user is authorized to access said first resource. 

35. (original) A method according to claim 34, further comprising the step of: 
allowing said first user to access said first resource if said first user is authorized to access 

said first resource. 

36. (currently amended) One or more processor readable storage devices having 
processor readable code embodied on said processor readable storage devices, said processor 
readable code for programming one or more processors to perform a method comprisin g th e st e ps 
ef: 
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receiving user session state information for a first use r at an application program interface 
for an access system, said user session state information is from an application without a web 
agent front end ; 

r e c e iving resourc e r e qu e st information for a first r e source; 

receivin g, at said application program interface, a request to authorize said first user to 
access said first resource, said request to authorize is from an said application without a web 
agent front end; and 

att e mpting providing authorization services of said access system to said application 
using said application program interface in an attempt to authorize said first user to access said 
first resource without requiring said first user to re-submit authentication credentials. 

37. (original) One or more processor readable storage devices according to claim 36, 
wherein: 

said user session state information is from a cookie stored on a client for said first user; 
said user session state information is encrypted; and 

said step of receiving user session state information includes decrypting said user session 
state information. 

3 8 . (original) One or more processor readable storage devices according to claim 3 7, 
wherein said method further comprises the steps of: 

receiving a request from said application for unencrypted data from said user session 
state information; and 

providing said unencrypted data from said user session state information to said 
application, said application does not have access to a key to decrypt said user session state 
information. 

39. (currently amended) One or more processor readable storage devices according to 
claim 36, wherein: 

said user session state information is a session token from a cookie stored on a client for 
said first user, said session state information was created by an access system; and 

said access system performs said st e p of attempting attempts to authorize said first user . 
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40. (original) One or more processor readable storage devices according to claim 36, 
wherein said method further comprises the steps of: 

determining whether said first resource is protected; 
determining an authentication scheme for said first resource; 

determining whether said authentication scheme is satisfied based on said user session 
state information; 

making available to said application an indication of whether said first resource is 
protected; and 

making available to said application an indication of said authentication scheme. 

4 1 . (original) One or more processor readable storage devices according to claim 36, 
wherein said method further comprises the steps of: 

determining one or more authorization actions for said first resource; and 
making available to said application an indication of said one or more authorization 
actions for said first resource. 

42. (original) One or more processor readable storage devices according to claim 36, 
further comprising the step of: 

allowing said first user to access said first resource if said first user is authorized to access 
said first resource. 

43. (currently amended) An apparatus, comprising: 
a communication interface; 

one or more storage devices; and 

one or more processors in communication with said one or more storage devices and said 
communication interface, said one or more processors programmed to perform a method 
comprising th e st e ps of : 

receiving user session state information for a first use r at an application program 

interface for an access system, said user session state information is from an application 

without a web agent front end, 
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r e ceiving r e source requ e st information for a first resourc es , 
receivin g, at said application program interface, a request to authorize said first 
user to access said first resource, said request to authorize is from an said application 
without a web agent front end, and 

att e mpting providing authorization services of said access system to said 
application using said application program interface in an attempt to authorize said first user to 
access said first resource without requiring said first user to re-submit authentication credentials. 

44. (original) An apparatus according to claim 43, wherein: 

said user session state information is from a cookie stored on a client for said first user; 
said user session state information is encrypted; and 

said step of receiving user session state information includes decrypting said user session 
state information. 

45. (original) An apparatus according to claim 44, wherein said method further 
comprises the steps of: 

receiving a request from said application for unencrypted data from said user session 
state information; and 

providing said unencrypted data from said user session state information to said 
application, said application does not have access to a key to decrypt said user session state 
information. 

46. (currently amended) An apparatus according to claim 43, wherein: 

said user session state information is a session token from a cookie stored on a client for 
said first user, said session state information was created by an access system; and 

said access system p e rforms said st e p of att e mpting attempts to authorize said first user . 

47. (original) An apparatus according to claim 43, wherein said method further 
comprises the steps of: 

determining whether said first resource is protected; 
determining an authentication scheme for said first resource; 
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determining whether said authentication scheme is satisfied based on said user session 
state information; 

making available to said application an indication of whether said first resource is 
protected; and 

making available to said application an indication of said authentication scheme. 

48. (original) An apparatus according to claim 43, wherein said method further 
comprises the steps of: 

determining one or more authorization actions for said first resource; and 
making available to said application an indication of said one or more authorization 
actions for said first resource. 

49. (original) An apparatus according to claim 43, further comprising the step of: 
allowing said first user to access said first resource if said first user is authorized to access 

said first resource. 

50. (currently amended) One or more processor readable storage devices having 
processor readable code embodied on said processor readable storage devices, said processor 
readable code for programming one or more processors to perform a method for providing access 
services by an application without a web agent front end, the method comprising th e st e ps of : 

receivin g, at an application, an electronic request from a first user to access a first 
resource, said step of receiving includes receiving information from a cookie; 

providing said information from said cookie to an application program interface for an 
access system acc e ss syst e m interface ; and 

with said application, accessing authorization services of said access system using said 
application program interface, said accessing includes requesting said access system interface to 
authorize said first user to access said first resource based on information from said request from 
said first user and based on said information from said cookie. 

5 1 . (original) One or more processor readable storage devices according to claim 50, 
wherein: 
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said information from said cookie is encrypted; and 

said method further comprises the steps of: 

requesting unencrypted data from said information from said cookie, said request 
being made to said access system interface, 

receiving said unencrypted data from said access system interface, and 
using said unencrypted data for an access system service. 

52. (original) One or more processor readable storage devices according to claim 5 1 , 
wherein: 

said application does not have access to a key for decrypting said information from said 

cookie. 

53. (cancelled) 

54. (cancelled) 

55. (cancelled) 

5 6 . (currently amended) A method for providing access services, comprising th e steps 

ef: 

authenticating a first user; 

causing user session state information to be stored at a client for said first user; 
authorizing said first user to access a first protected resource; 

receiving a request from an application without a web agent front end to allow said first 
user to access a second protected resource, said step of receiving a request includes receiving said 
user session state information from said application; and 

allowing authorizing said first user to access said second protected resource without 
requiring said first user to re-submit authentication credentials, if said first user is authorized to 
access said second protected resource. 

57. (original) A method according to claim 56, wherein: 
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said user session state information is from a cookie stored on a client for said first user; 
said user session state information is encrypted; and 

said step of receiving includes decrypting said user session state information. 

58. (original) A method according to claim 57, further including the steps of: 
receiving a request from said application for unencrypted data from said user session 

state information; and 

providing said unencrypted data from said user session state information to said 
application, said application does not have access to a key to decrypt said unencrypted data from 
said user session state information. 

59. (original) A method according to claim 56, wherein: 

said user session state information is a session token from a cookie stored on a client for 
said first user, said session state information was created by an access system; and 
said access system performs said step of allowing. 

60. (original) A method according to claim 56, further comprising the steps of: 
determining whether said second resource is protected; 

determining an authentication scheme for said second resource; 
determining whether said authentication scheme is satisfied based on said user session 
state information; 

making available to said application an indication of whether said first resource is 
protected; and 

making available to said application an indication of said authentication scheme. 

61. (new) A system, comprising: 
a client; 

at least one application adapted to receive a request from said client for a user to 
access a first resource, said request includes information from a cookie; 

an access server adapted to provide authorization services for requests to access said 
first resource; and 
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an application program interface for said access server, said application program 
interface receives said information from said cookie and a request from said at least one 
application to authorize said first user to access said first resource, said application program 
interface provides said authorization services to said at least one application by attempting to 
authorize said first user to access said first resource based on information from said request 
from said first user and based on said information from said cookie. 

62. (new) The system of claim 6 1 , wherein: 
said information from said cookie is encrypted; 

said application does not have access to a key for decrypting said information from said 

cookie; 

said application requests unencrypted data from said information from said cookie, said 
request being made to said application program interface; and 

said application receives said unencrypted data from said application program 
interface and uses said unencrypted data for an access system service. 

63. (new) The system of claim 61, wherein: 
said access system includes an access server; and 

said application program interface for said access system is not located at said access 

server. 
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